U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report
Security Over Personally Identifiable Information

DOE/IG-0771                                 July 2007

Department of Energy
Washington, DC 20585

July 30, 2007

MEMORANDUM FOR

FROM:                    Inspector General

SUBJECT:                 INFORMATION: Audit Report on "Security over Personally Identifiable Information"

Industry experts have reported that more than 100 million personal privacy records have been lost or stolen over the past two years, including information maintained by corporations, educational institutions, and Federal government agencies. In fact, over the past several years, the Department of Energy has experienced the loss of personal privacy records. On June 23, 2006, in response to security incidents involving the loss or compromise of sensitive personal information by several Federal agencies, the Office of Management and Budget (OMB) issued a memorandum (M-06-16, Protection of Sensitive Agency Information) recommending that agencies strengthen controls over the protection of Personally Identifiable Information (PII). OMB specifically required agencies to implement protections over PII developed by the National Institute of Standards and Technology (NIST), including those related to encryption, remote access, and risk assessments.

The Department of Energy maintains numerous information systems that contain PII. In response to a request from OMB, the Office of Inspector General, in coordination with the President's Council on Integrity and Efficiency, performed a review of the Department's controls over the protection of PII.
The results of our preliminary review were provided to the Department on September 20, 2006, in our Special Report on the Department's Security over Personally Identifiable Information (OAS-L-06-20). Although the September 2006 report disclosed certain actions taken by the Department to safeguard PII, we expanded our review to determine whether the Department had effectively implemented safeguards for protection of PII.

RESULTS OF AUDIT

We found that the Department had not fully implemented all protective measures recommended by OMB and required by NIST. In particular, we observed that:

    - Seven of eleven field sites reviewed (3 Federal, 8 contractor) had not identified information systems containing PII, or fully evaluated the risks of exposing PII stored in such systems;

    - Controls for securing remote access to site-level systems containing personal information had not been fully implemented; and,

    - Five sites had not identified mobile computing devices containing PII nor ensured that this information was encrypted as required by OMB.

We noted that not all OMB and NIST requirements had been incorporated in relevant Headquarters and site-specific policy documents. Even when policies were clear, programs and sites did not always enforce the requirements to ensure that all necessary controls were in place for protecting PII. Without improvements in policy development and implementation, the Department will have a difficult time securing personal information. In addition, there is a less-than-acceptable risk that affected individuals would not be notified if their personal information is exposed.

During our review, we recognized that the sheer volume of data processed within the Department of Energy complex made the protection of PII a significant challenge.
We noted, as well, that the Department had taken positive steps to protect PII, including conducting internal reviews to determine whether adequate information protection safeguards were in place, and implementing additional controls for safeguarding PII. For example, a review conducted by the Office of the Chief Financial Officer at Headquarters identified a number of activities that have been or will be taken to meet security requirements. In addition, in March 2007, the Office of the Chief Information Officer and the Office of Management issued additional guidance reemphasizing user responsibilities for keeping laptop computers and the information they process more secure. Further, the Office of Science completed its updated Program Cyber Security Plan, the first such Department of Energy office to do so. Taken together, these actions will improve the Department's protection of personal information. Nonetheless, more remains to be done and we made several recommendations designed to improve security over PII maintained by the Department.

MANAGEMENT REACTION

Management concurred with the report's findings and recommendations. Management indicated that additional steps will be taken relative to our recommendations and believed that it is important that protection of sensitive information, including PII, be achieved as an integral part of the Department's cyber security program. In separate comments, the National Nuclear Security Administration (NNSA) generally agreed with the report and indicated that a series of actions had been implemented to address our concerns.
Management's comments are included in Appendix 3.

Attachment

cc: Deputy Secretary
    Acting Administrator, National Nuclear Security Administration
    Acting Under Secretary for Energy
    Under Secretary for Science
    Chief of Staff

REPORT ON SECURITY OVER PERSONALLY IDENTIFIABLE INFORMATION

TABLE OF CONTENTS

Personal Information Protection
    Details of Finding
    Recommendations
    Comments

Appendices
    1. Objective, Scope, and Methodology
    2. Prior Reports
    3. Management Comments

Personal Information Protection

Protection of Personally Identifiable Information

Protection of Personally Identifiable Information (PII) is a priority for both Federal and commercial organizations. Because of the significance of this issue, the Office of Inspector General performed reviews of protection measures over PII at Department of Energy (Department) Headquarters, seven national laboratories, and four other major Department sites.

As a result of our review, we determined that the Department had not implemented all protective measures recommended by the Office of Management and Budget (OMB) and required by the National Institute of Standards and Technology (NIST).
Specifically, the Department had not identified all site-level systems containing PII or evaluated the risks associated with maintaining such systems; remote access protection measures had not been fully deployed in accordance with Departmental direction; and, sites had not identified mobile computing devices containing PII nor ensured that such information was encrypted.

Site-Level Systems

Seven of eleven field sites reviewed had not identified which site-level information systems contained PII. For instance, although the Pacific Northwest National Laboratory (PNNL) developed a list of certain systems believed to contain PII, such as the human resource system, the site had not finished reviewing all systems to verify whether they contained PII and whether the information was adequately protected. Similarly, officials at the Los Alamos National Laboratory (LANL) noted that, while they had identified all systems managed by the Information Systems and Technology Division that contained PII, there were a number of systems managed by other program areas at the laboratory that may contain personal information that had not been specifically identified or evaluated.
We also found that although the Oak Ridge National Laboratory (ORNL) had begun to complete an inventory of all devices that contained PII, it had not conducted a review to identify all site-level systems that contained such information. In addition, the National Energy Technology Laboratory (NETL) had not identified its systems that contained PII, limiting its ability to ensure that data was protected at the appropriate levels.

Risk Assessments

Although NIST requires that databases containing PII be assessed for risk of improper exposure, seven sites and programs we reviewed had not evaluated or updated security plans to address the risks associated with maintaining PII. For instance, six systems maintained by a facility contractor at the Hanford Site were inappropriately protected at a low level of controls even though they contained PII. In addition, Headquarters officials from both the Office of the Chief Information Officer (OCIO) and the National Nuclear Security Administration (NNSA) commented that their respective organizations had not reviewed and updated risk assessments to ensure that protection of PII was appropriate.
According to the NNSA official responsible for cyber security at Headquarters at the time of our review, a list of systems containing PII had not been developed by the program. As noted in our recent report on Certification and Accreditation of Unclassified Information Systems (DOE/IG-0752, January 2007), the failure to conduct risk assessments limits the ability to analyze the nature and level of threats and vulnerabilities to a system.

Remote Access to PII

The Department had not fully implemented controls necessary to protect PII during remote access. In particular, two-factor authentication [1] or adequate Virtual Private Network (VPN) [2] time-outs for remote access to systems were not always implemented, and controls over information downloads had not been instituted; all three are necessary for ensuring secure remote access to information systems. Specifically, we found that Lawrence Berkeley National Laboratory (LBNL) and ORNL had not implemented the use of two-factor authentication for accessing all systems from a remote location even though many of these systems contained PII.
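Two of the remote-access controls named in this section, the VPN inactivity time-out and the logging and follow-up of PII downloads, can be verified from logs rather than from a configuration value a site reports. The following Python script is an added example and is not part of the audit report or of any Department system. The log formats, user and system names, and session data are constructed for illustration; the 30-minute idle limit is OMB's recommendation as cited in this section; the 90-day follow-up window is the figure OMB memorandum M-06-16 uses for verifying that an extract has been erased or is still required, which this report does not itself state and which is therefore an assumption here. The script flags VPN sessions that remained open through an idle gap longer than the limit (an idle gap that ends in a disconnect but is longer than 30 minutes shows a time-out that fired late, as a 90-minute setting would) and PII extracts whose follow-up window expired without a recorded confirmation.

```python
"""Audit two remote-access controls over PII from logs (added example,
not from the DOE report). Log formats and the sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample logs: 'timestamp key=value key=value ...' ---

# VPN concentrator log: one connect, zero or more activity records, one disconnect.
VPN_LOG = """\
2007-03-01T08:00:00 session=s1 event=connect user=alice
2007-03-01T08:10:00 session=s1 event=activity
2007-03-01T08:55:00 session=s1 event=activity
2007-03-01T09:00:00 session=s1 event=disconnect
2007-03-01T09:00:00 session=s2 event=connect user=bob
2007-03-01T09:20:00 session=s2 event=activity
2007-03-01T09:45:00 session=s2 event=disconnect
2007-03-01T10:00:00 session=s3 event=connect user=carol
2007-03-01T10:05:00 session=s3 event=activity
2007-03-01T11:35:00 session=s3 event=disconnect
"""

# Database extract log (downloads of PII) and the follow-up log in which
# users confirm that an extract was erased or is still required.
EXTRACT_LOG = """\
2007-01-05T14:02:00 extract=e100 user=alice system=HR-DB records=1200
2007-01-20T09:30:00 extract=e101 user=bob system=PAYROLL records=35
2007-03-15T16:45:00 extract=e102 user=carol system=HR-DB records=8
2007-04-25T11:10:00 extract=e103 user=alice system=HR-DB records=60
"""
FOLLOWUP_LOG = """\
2007-02-01T10:00:00 extract=e100 status=erased
2007-03-20T11:00:00 extract=e102 status=still-required
"""

MAX_IDLE = timedelta(minutes=30)        # OMB recommendation cited in the report
FOLLOWUP_WINDOW = timedelta(days=90)    # assumption: M-06-16's verification window
AS_OF = datetime(2007, 4, 30)           # audit date used for the overdue check


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def idle_timeout_violations(vpn_records, max_idle=MAX_IDLE):
    """Map session id -> (worst idle gap, event that ended it) for every
    session with an inactivity gap longer than max_idle.

    A gap that ends in 'disconnect' means a time-out fired, but later than
    policy (a 90-minute setting shows up as a 90-minute gap). A gap that
    ends in 'activity' means the session was still alive after the gap,
    so no time-out was enforced at all.
    """
    by_session = defaultdict(list)
    for rec in vpn_records:
        by_session[rec["session"]].append(rec)
    violations = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            gap = cur["ts"] - prev["ts"]
            worst = violations.get(sid)
            if gap > max_idle and (worst is None or gap > worst[0]):
                violations[sid] = (gap, cur["event"])
    return violations


def unreconciled_extracts(extracts, followups, as_of=AS_OF, window=FOLLOWUP_WINDOW):
    """Return ids of PII extracts whose follow-up window has expired at
    `as_of` without a follow-up record inside that window."""
    first_followup = {}
    for f in followups:
        eid = f["extract"]
        if eid not in first_followup or f["ts"] < first_followup[eid]:
            first_followup[eid] = f["ts"]
    overdue = []
    for e in extracts:
        deadline = e["ts"] + window
        done = first_followup.get(e["extract"])
        if done is not None and done <= deadline:
            continue                      # followed up in time
        if as_of > deadline:
            overdue.append(e["extract"])  # window expired, no timely follow-up
    return overdue


def run_audit(as_of=AS_OF):
    """Run both checks over the constructed logs."""
    idle = idle_timeout_violations(parse_log(VPN_LOG))
    overdue = unreconciled_extracts(parse_log(EXTRACT_LOG), parse_log(FOLLOWUP_LOG), as_of)
    return idle, overdue


if __name__ == "__main__":
    idle, overdue = run_audit()
    for sid, (gap, ended_by) in sorted(idle.items()):
        print(f"VPN session {sid}: idle {int(gap.total_seconds() // 60)} min, ended by {ended_by}")
    print("PII extracts overdue for follow-up:", overdue)
```

On the constructed data the script reports session s1 (a 45-minute gap with the session still active afterwards) and session s3 (a 90-minute gap ended by a disconnect) and lists extract e101 as overdue; e103 is unconfirmed but its window has not yet expired, so it is not flagged. Checking the gap-ending event separately is what distinguishes a time-out that is merely set too long from one that is absent.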
Time-out functions (a period of inactivity after which a connection automatically terminates) for VPN remote sessions were set to 90 minutes at LBNL, three times the OMB recommendation of 30 minutes. Access to development systems at LBNL which may contain PII also did not have remote access time-out functions activated. Furthermore, requirements for controlling downloads of PII to remote systems had not always been established at the sites reviewed. For instance, ORNL had not placed restrictions on the type of information that could be downloaded to remote computers. In addition, none of the programs or sites we evaluated logged and followed up on downloads of PII from systems, as recommended by OMB.

[1] Two-factor authentication requires two independent ways to establish identity and privileges, such as both a physical device and a password, while traditional password authentication only requires knowledge of a password to gain access to a system.
[2] A VPN is a communications network that provides secure private communications over a non-private network.

Encryption of PII

Although required by OMB, five of the sites we reviewed had not ensured that PII on all mobile devices was identified and encrypted. For instance, although Sandia National Laboratories developed policy for protecting PII, it had only begun the process of identifying PII on managers' laptops, which accounted for only about 11 percent of the more than 11,000 laptop computers that needed to be reviewed at the site.
We also found that LANL had started encrypting laptops if they knew they were going to be removed from the site, but had not encrypted the approximately 6,300 laptops not anticipated to be taken off-site. As noted in a recent Government Accountability Office report, encrypting data on mobile devices provides reasonable assurance that stolen or lost computer equipment will not result in personal data being compromised. That assurance holds only while the encrypted volume is locked; a laptop lost while powered on or suspended with the volume unlocked still exposes its contents.

In addition, site officials had not taken affirmative action to ensure that encryption capabilities were utilized, where appropriate. For instance, at the time of our review, ORNL was not aware of the number of laptop computers that contained personal information and had not ensured that encryption capabilities were installed on all mobile devices. Although laboratory officials provided encryption software and made its use optional, officials commented that they had no intention of mandating encryption until formally directed to do so via their contract. ORNL also had not received confirmation from users that PII was encrypted if it was maintained on a mobile device. In addition, neither Lawrence Livermore National Laboratory (LLNL) nor NETL had evaluated or received confirmation from users as to whether mobile devices contained PII, and had not ensured that encryption was utilized on all laptops. Further, most of the sites reviewed had not performed spot checks to verify user responses or ensure that appropriate protections had been implemented. Absent knowledge of where PII is maintained and the deployment of encryption software to secure such data, the Department cannot ensure that personal information is adequately protected.

Security Policy and Program Direction

These problems occurred because policies at Headquarters and sites reviewed did not address all OMB and NIST requirements. Even when policy had been developed, programs and sites had not always enforced requirements to ensure that all necessary controls were in place for protecting PII.

Policies

To their credit, various Department program elements and sites had developed policies and procedures for protecting PII. For instance, the OCIO issued Department-level guidance in July 2006 establishing requirements for the protection of PII in all Federal and contractor-operated information systems. In addition, organizations controlled by each of the Department's Under Secretaries have issued separate and complementary guidance designed to ensure that protective measures are implemented. For example, the Office of Science was one of the first Department programs to issue policy for protecting PII that applied to both Federal and contractor employees. However, the new Headquarters guidance was incomplete and the existing site-level policies had not been updated to reflect new requirements.

In particular, policies developed at Headquarters for protecting PII lacked certain critical elements. Specifically, the policies, including those issued by the OCIO, did not require the identification of all Headquarters or site-level systems containing PII that were maintained by both Federal and contractor officials as required by NIST. Although programs began to gather this information based on previously issued guidance, the effort remained incomplete. The policy also did not specifically require that relevant risk assessments be reviewed and updated, as necessary, to account for the protection of such information. Certain policies developed by Headquarters also did not explicitly address rules for downloading information, including whether or not it was permitted, or for utilizing personal computers for telecommuting, practices which could expose PII to unauthorized individuals outside of the workplace.

Sites had also not updated existing local policies to ensure protection of PII in accordance with OMB and NIST requirements. For example, at the time of our review, neither LBNL nor ORNL had updated policies to address requirements for protecting PII.
Officials at ORNL commented that they did not anticipate developing such policy and having it fully implemented until Fiscal Year 2008. Although LBNL established a policy in March 2007, we found that the policy was incomplete and that the lab had not implemented Science program policy for all aspects of protecting personal information, such as the use of two-factor authentication for remote access to all systems. In addition, although certain contractors at the Hanford Site had maintained existing policies for protecting sensitive information, the policies did not specifically address, and were less stringent than, guidance set forth by OMB and NIST. Such policies did not require that PII be encrypted during storage or transmission, or that risk assessments be updated to reflect the protection of PII. PNNL's policies did not prohibit individuals from taking unencrypted laptops off-site and did not require that emails containing PII be encrypted. To its credit, PNNL took steps during our review to begin encrypting all laptops, culminating in the issuance of updated policy in March 2007.

Program Direction

Even when policies had been developed, programs and sites reviewed had not consistently or effectively enforced controls designed to protect PII. Officials at various sites stated that their respective programs had not been provided with adequate or timely guidance and therefore, they had taken independent action that they deemed appropriate, or delayed taking action altogether.
For instance, at the time of our review, officials from several sites, including LANL and the Richland Operations Office, stated that although they had received general guidance from their respective programs regarding the requirements for protecting PII, specific requirements had not been provided. As such, the sites were unaware of the process for protecting PII consistent with Departmental requirements. Facility contractor officials at ORNL and the Hanford Site also commented that their compliance was not mandatory because the requirements for protecting PII had not been incorporated into their contracts. However, subsequent to our review, direction was provided to ORNL from the Department requiring protection of personal information on mobile devices. Although most sites attempted to comply with OMB's recommendations for protecting PII, some sites downplayed its importance. For example, a cyber security presentation provided to us by one site indicated that the requirements surrounding PII were overly burdensome and should not be considered a high priority.

Information Security and Assurance

Until protective measures are fully implemented, the Department may have difficulty protecting personal information. Specifically, sites cannot implement the necessary security measures until they identify which systems contain PII.
In addition, personal information stored on a lost or stolen mobile computing device is at increased risk of being obtained and misused by nefarious individuals because sites have not fully utilized encryption software. Furthermore, sites' failure to determine whether devices contain PII will likely mean that affected individuals would not be notified if personal information was exposed, thus making it impossible for them to take timely action to minimize possible negative effects. The need to know the location of PII was highlighted in an October 2006 Congressional report on Agency Data Breaches Since January 1, 2003, which disclosed that the failure of agencies to track all possible losses of personal information makes it difficult to know what data was lost or how many individuals were impacted.

RECOMMENDATIONS

To address the issues identified in this report, we recommend that the Acting Administrator, NNSA, the Acting Under Secretary for Energy, and the Under Secretary for Science, in coordination with the Department and NNSA Chief Information Officers:

    1. Update Departmental and site-level policies for protecting PII to include applicable OMB and NIST requirements;

    2. Implement OMB and NIST requirements for protecting PII on systems, to include updating risk assessments and executing adequate remote access procedures; and,

    3. Verify that PII on mobile computing devices is identified and adequately protected by performing random checks to ensure data is encrypted.

MANAGEMENT REACTION

Management concurred with the report's findings and recommendations and indicated that steps will be taken to further enhance the security of PII. Specifically, the Department plans to update existing policies and cyber security plans to provide sufficient protection of sensitive information. In addition, the OCIO plans to monitor the progress of the Department in verifying that PII on mobile computing devices is identified and adequately protected.

The NNSA generally agreed with the report and indicated that a series of actions had been implemented at each of its sites to address the issues identified in our report. NNSA disagreed with our recommendation to identify PII contained on mobile devices, but indicated that it had adopted a more conservative approach and assumed that all mobile devices contained PII and protected them accordingly.

AUDITOR COMMENTS

Management's comments are responsive to our recommendations.
Management's comments are included in their entirety in Appendix 3.

Appendix 1

OBJECTIVE

To determine whether the Department of Energy (Department) had effectively implemented safeguards for protection of personally identifiable information.

SCOPE

The audit was performed between June 2006 and April 2007 at Department Headquarters in Washington, District of Columbia and Germantown, Maryland; the Lawrence Livermore National Laboratory, Livermore, California; the Lawrence Berkeley National Laboratory, Berkeley, California; the Oak Ridge Office, the Oak Ridge National Laboratory, and the Y-12 National Security Complex, Oak Ridge, Tennessee; the Sandia National Laboratories and National Nuclear Security Administration Service Center, Albuquerque, New Mexico; the Los Alamos National Laboratory, Los Alamos, New Mexico; and the National Energy Technology Laboratory, Pittsburgh, Pennsylvania and Morgantown, West Virginia.
We also obtained information from the Richland Operations Office, the Office of River Protection and the Pacific Northwest National Laboratory, Richland, Washington.

METHODOLOGY

To accomplish our audit objective, we:

    - Reviewed Federal regulations and Departmental directives and guidance pertaining to protecting personally identifiable information;

    - Reviewed prior reports issued by the Office of Inspector General;

    - Reviewed program and site level policies relevant to protecting personally identifiable information;

    - Held discussions with program officials from Department Headquarters and sites reviewed, including representatives from the Office of the Chief Information Officer, the Offices of the Chief Financial Officer, Human Capital Management, Environmental Management, Science, and Fossil Energy, as well as the NNSA; and,

    - Analyzed information provided by the organizations reviewed to determine compliance with OMB memorandum M-06-16, Protection of Sensitive Agency Information.

The audit was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective.
Accordingly, we assessed internal controls regarding the safeguards of personally identifiable information across the Department. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We also assessed performance measures in accordance with the Government Performance and Results Act of 1993 relevant to safeguards over PII. Although we did not identify measures specific to protecting PII, we noted that limited measures did exist related to cyber security. We did not rely on computer-processed data to satisfy our audit objective. Both the Department and NNSA waived the exit conference.

Appendix 2

PRIOR REPORTS

Management Challenges at the Department of Energy (DOE/IG-0748, December 2006). The Office of Inspector General (OIG) identified seven significant management challenges facing the Department of Energy (Department), including cyber security. In addition, the OIG identified a "watch list" of emerging issues that warrant continued attention. The report noted that although the Department had taken a number of positive steps in Fiscal Year 2006 relevant to cyber security, weaknesses still existed relating to logical access, establishing a complex-wide inventory of information systems, and implementation of an effective certification and accreditation process.

Special Report on The Department's Security over Personally Identifiable Information (OAS-L-06-20, September 2006).
Department and site policies for protecting personally\n  identifiable information (PII) were missing certain key components and implementation\n  was incomplete. Specifically, while each of the policies reviewed prescribed controls for\n  transporting PII, requirements established by the National Institute of Standards and\n  Technology (NlST) were not always met. Additionally, the Department had not\n  implemented all protective measure recommended by Office of Management and Budget\n  and required by NlST.\n\n  Itzternal Controls for Excessing and Srlrplusing UnclusszJied Cotnputers at Los Alamos\n  Nutionul Luhor~ltot?l(DOEIIG-0734, July 2006). The Los Alamos National Laboratory\n  (LANL) had not complied with internal controls, implemented by both the site and the\n  Department, when excessing and surplusing computers. Specifically, LANL did not\n  sanitize the hard drive of a computer prior to processing the computer as excess/surplus,\n  nor was the hard drive removed prior to transferring the computer for sale at auction.\n  The failures in these internal controls raised concerns as to whether other recently\n  released computers were sanitized and hard drives removed prior to being sent to auction.\n  Given the potential sensitivity of data residing on the Department\'s systems, including its\n  unclassified systems, it is important that formal excessing procedures be carefully\n  followed.\n\n  Internul Controls over Personal Cotnputers at Los Alamos National Laboratory\n  (DOEIIG-0656, August 2004). Weaknesses were identified that undermined confidence\n  in LANL\'s ability to assure that computers were appropriately controlled and safeguarded\n  from loss or theft; and that computers used to process and store classified information\n  were controlled in accordance with existing property management and security\n  requirements. 
Specifically, a number of classified desktop computers were not entered\n  into the LANL property inventory; LANL\'s Office of Security Inquiries was not notified\n  about a missing component of a computer system; and a listing of classified desktop and\n  laptop computers was not accurate.\n\n  Speciul Inquiry on Operations at Los Alutnos Nutiotlal Laboratory (DOEIIG-0584,\n  January 2003). LANL failed to take appropriate or timely action with respect to a\n  number of identified property control weaknesses. Specifically, there was inadequate or\n\n\nPage 10                                                                     Prior Reports\n\x0cAppendix 2 (continued)\n\n  untimely analysis of, and inquiry into, property loss or theft and security issues; a lack of\n  personal accountability for property; and, a s~~bstantialdcgree of dysfunction in the\n  laboratory\'s communication and assignment of responsibililies for handling of property\n  loss and theft concerns. LAlVL officials stated that incident reports did not indicate that\n  reviews were completed as to the type of infornlation contained on stolen equipment.\n\n  Inspection oJ\'Cyber Security Stundul-ds for Sensitive Personal Informution (DOEIIG-\n  053 1 , November 2001). The Department did not always meet the requirements of the\n  Privacy Act of 1974, the Freedom of Information Act (FOIA), or the Computer Security\n  Act of 1987. Specifically, with regards to Privacy ActIFOIA personal information, the\n  Department did not have baseline criteria for protection, nor did it group this information\n  with other unclassified sensitive information for protection. 
Additionally, individual sites and program offices were allowed to develop differing security measures for protection of Privacy Act/FOIA personal information.

Appendix 3

                                        Department of Energy
                                        Washington, DC 20585

      MEMORANDUM FOR     RICKEY R. HASS
                         ASSISTANT INSPECTOR GENERAL
                         FOR FINANCIAL, TECHNOLOGY AND
                         CORPORATE AUDITS
      FROM:              THOMAS N. PYKE, JR.
                         CHIEF INFORMATION OFFICER
      SUBJECT:           Response to Inspector General's Draft Report, IG-34 (A06TG036) (B), Security over Personally Identifiable Information

      The Department of Energy has reviewed the Inspector General's Draft Report, IG-34 (A06TG036) (B), Security over Personally Identifiable Information, dated April 26, 2007.

      Thank you for the opportunity to comment on this draft report. We fully support the Inspector General's efforts to ensure adequate protection of personally identifiable information (PII). We appreciate recognition in the report of several of the positive steps that have been taken over the last year to improve the protection of personally identifiable information. I am encouraged that the rollout of protective measures for PII continues throughout the Department.

      I believe it is important that protection of sensitive unclassified information, including PII, be achieved as an integral part of the Department's cyber security program. We began our special emphasis on protection of PII through my June 30, 2006, Memorandum for Heads of Departmental Elements in which I transmitted to the Department for action OMB Memorandum M-06-16, Protection of Sensitive Agency Information. We then codified this policy guidance in more formal direction, issued as DOE CIO Cyber Security guidance CS-38, Protection of Personally Identifiable Information, on July 20, 2006.

      This guidance was broadened to cover sensitive unclassified information in DOE CIO Cyber Security guidance CS-38A, Protection of Sensitive Unclassified Information, including Personally Identifiable Information, dated November 2006. In addition, five other DOE CIO Cyber Security policy issuances are also directly relevant to protection of PII, consistent with OMB Memorandum M-06-16: CS-1, Management, Operational and Technical Controls Guidance; CS-2, Certification and Accreditation Guide; CS-3, Risk Management; CS-14, Portable/Mobile Guidance; and CS-24, Remote Access Guidance. In addition, the Deputy Secretary signed a Memorandum for Heads of Department Elements on August 17, 2006, Designation of Authority to Determine Whether Data on Each Laptop Computer is Non-Sensitive.

Page 12                                                                   Management Comments

      These DOE cyber security policy issuances cover the first three recommendations of OMB Memorandum M-06-16 and the processes outlined in the Security Checklist attachment to that memorandum. We do not believe the fourth recommendation in that memorandum provides sufficient value in reducing risk relative to cost. We have expressed this concern to OMB several times and do not plan to mandate that it be adopted in general across the DOE complex. This is consistent with the direction we received from OMB on July 10, 2006, that we should "look at this overall issue" and "implement on the basis of a common sense approach."

      RECOMMENDATIONS

      Recommendation 1: Update Departmental and site-level policies for protecting PII to include applicable OMB and NIST requirements.

      Management Decision:

      Concur

      The Office of the CIO and the DOE Cyber Security Working Group will ensure that DOE cyber security policy direction is updated to provide sufficient protection of sensitive unclassified information, including PII. The DOE Cyber Security Working Group is in the process of updating all of the Department's cyber security guidance as the cyber security Technical and Management Requirements (TMR) documents required by Department Order 205.1A are created. Special attention is being given to ensuring that all applicable OMB direction and NIST guidance is integrated into these policy issuances. Each Under Secretary's Program Cyber Security Plan (PCSP) is required to follow these TMRs as they provide cyber security policy and implementation direction for each Under Secretary's organization, including the field. Site implementation plans and policies are based on these Under Secretary PCSPs. The TMRs will all be completed and issued no later than September 2007.

      Recommendation 2: Take action to effectively implement OMB and NIST requirements for protecting PII on systems, to include updating risk assessments and implementing adequate remote access procedures.

      Management Decision:

      All DOE organizations, including field sites, are required to follow the Under Secretary PCSPs. The PCSPs follow or will follow DOE cyber security guidance that requires review of risk assessments whenever a security significant change is made to the systems, including changes in system security categorization levels, as well as guidance on controls for remote access. All DOE organizations, including field sites, are required to implement cyber security protections as specified in the Under Secretary PCSPs. Special attention will be given by the DOE Cyber Security Working Group as the TMRs are completed to ensure that direction for risk assessment and remote access procedures is sufficient to ensure adequate protection of PII. The TMRs will all be completed and issued no later than September 2007.

      Recommendation 3: Verify that PII on mobile computing devices is identified and adequately protected.

      Management Decision:

      The Office of the CIO (OCIO) will request that the Under Secretaries report by September 2007 on their implementation of the Deputy Secretary's August 17, 2006, memorandum, in which they were given the authority to determine whether data on each laptop computer is non-sensitive. The requested report will include progress in implementing DOE cyber security policies and direction for protection of PII.

      Field implementation to protect PII is guided by the PCSP issued by each Under Secretary. DOE Order 205.1A includes a requirement that each Under Secretary monitor PCSP implementation effectiveness through site assistance visits, program reviews, reviewing the results of IG and HSS audits, compliance reviews, self-assessments, analyses of performance measurement criteria, peer reviews, and vulnerability analyses.

                                        Department of Energy
                                National Nuclear Security Administration
                                        Washington, DC 20585

          MEMORANDUM FOR     Rickey R. Hass
                             Assistant Inspector General
                             For Financial, Technology, and Corporate Audits
          FROM:
                             For Management and Administration
          SUBJECT:           Comments to Draft Information Security Report; Job Code A06TG036

          The National Nuclear Security Administration (NNSA) appreciates the opportunity to review the Inspector General's (IG) draft report, "Security over Personally Identifiable Information."
          We understand that you have concluded that all protective measures that were recommended by the Office of Management and Budget have not been fully implemented and that you are making recommendations to update policies, implement requirements, and verify that information is identified and protected.

          NNSA generally agrees with the report and, since the field work for this audit was completed, has implemented a series of actions at each of its sites that addresses the concerns raised by the IG. While we believe that we have met the intent of the IG's recommendations (encryption installed on devices that contain Personally Identifiable Information; removal of personal information from devices that are not equipped with encryption; restriction of certain devices from leaving site boundaries or ensuring devices meet Federal standards), we disagree with the recommendation to verify that Personally Identifiable Information is on mobile computing devices. Rather, we believe that it is a more prudent course to assume that all mobile computing devices contain Personally Identifiable Information and protect them according to the national guidance and local directions. Equally, we believe that individuals that utilize [illegible]-issued computing devices that can be utilized in a travel/mobile environment are also fiscally accountable for those devices as well as the information contained therein should anything happen to those devices during the time that the devices are in a travel/mobile environment.

          Should you have any questions related to this response, please contact Richard Speidel, Director, Policy and Internal Controls Management.

          cc:    Linda Wilbanks, Chief Information Officer
                 David Boyd, Senior Procurement Executive
                 Karen Boardman, Director, Service Center

                                                             IG Report No. DOE/IG-0771

                       CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                           Office of Inspector General (IG-1)
                                 Department of Energy
                                Washington, DC 20585

                              ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Judy Garland-Smith (202) 586-7828.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

               U.S. Department of Energy Office of Inspector General Home Page
                                  http://www.ig.energy.gov

  Your comments would be appreciated and can be provided on the Customer Response Form.